THE PRIVACY AGENDA
BY SIMON CHESTER
Privacy Emerges as a Plum Target for New Business—and a Critical Component of the Management Agenda
Private I vs. Public You. Just a few months ago, pundits were proclaiming this the Privacy Age. With the world becoming ever more wired, the need to protect the fragility of individual autonomy and identity seemed undeniable. Privacy was certain to be the business challenge of the millennium. Privacy seals would be the next big thing, and privacy compliance audits would be key to the next wave of legal business. Privacy imperatives were also set to appear at the top of every law firm policy agenda.
Then September 11 came. The train of history turned a corner. And the privacy revolution no longer seemed a sure thing.
Has the privacy challenge simply evaporated in the face of emerging security issues? I think not. There are few certainties in this new world, and events of recent months do place privacy in a new light. But fundamentally, the issues of burgeoning technology and the attendant ability to gather and dissect personal information will continue to raise problems and reveal opportunities for lawyers. New legislative powers will continue to be measured against treasured constitutional principles. Courts will be required to limit how far privacy must be surrendered. The technologies of interception and surveillance will continue to spread. There’s work for lawyers to do.
Out of Dusty Ledgers: Practice Opportunities Emerge
Every generation a new area of law emerges that can be recognized as a distinct conceptual and business domain. Securities regulation, environmental law and even family law appeared in response to social imperatives. Privacy law is being formed in the same way today.
Almost 20 percent of the firms listed in the AmLaw 100 have a privacy practice group. Such groups—in firms large and small—are bringing together business, litigation, financial services and employment lawyers with members of the high-tech and government regulation sectors. Dozens of law schools are placing privacy on the curriculum for tomorrow’s lawyers. You can tell that something has happened—and that new practice opportunities exist.
The primary spur, of course, comes from growing legislative and regulatory initiatives on privacy. These are coupled with the nagging worry of businesses that they have too casually entrusted core processes to marketing and techie types, without ensuring full involvement by legal professionals. Businesses are interested, frankly, in staying out of trouble.
For its part, privacy regulation is being fueled by public concerns about seeming oceans of personal information filling public and private databanks, about ever more invasive and precise ways of mining this data, and about the Internet’s surging ubiquity. True, government dossiers have long held treasured secrets. But somehow this was less worrying when the data was kept in dusty ledgers and viewed by government eyes only. Now there’s the prospect of voyeurs or entrepreneurs trawling through such records at the speed of light from half a world away. It’s transforming perceptions of both the records and the threat. And it’s providing the impetus for building related law practices. Is it time for you to form a privacy practice? If so, what will it involve?
Privacy as a Law Firm Enterprise: Services and Clients
What constitutes a privacy practice group? What sort of work does it do, and for whom? Ultimately, the specific nature of the practice will turn on your clients and their business needs, and how directly they face privacy issues. But a fast look at law firm Web sites sketches a tantalizing set of possibilities. Here are problems that existing practices are working with:
E-commerce privacy protection
Children and online privacy
Privacy in government contracts
Information and systems security
Corporate privacy policies and industry privacy codes
Privacy compliance programs and privacy training
Company recruitment of chief privacy officers
Web bugs, wiretaps and electronic surveillance
Biometrics, including facial recognition technology
Licensing, outsourcing and personal information
Documents containing personal information on insolvency
International data transfer
Privacy notices for Web sites
Privacy protection for European contracts
Who are the clients for legal services in these areas? Remember that information is the fuel of the new economy. So any information-rich business is rife with privacy issues. Consider financial institutions, credit bureaus and marketing companies. Consider any business on the Internet that goes beyond passive brochure-ware. But also consider that every retail operation has massive quantities of data. The inventory control systems that build on bar-code swiping match neatly with the pervasive use of credit and debit cards to let retailers build consumer profiles.
At bottom, privacy issues affect any business with customers or employees. In other words, virtually every business client is a privacy client as well.
Privacy as an Internal Issue: Priorities and Procedures
Law firms also are information-rich. Consequently, firms must recognize that privacy is an immediate challenge for themselves as well as for their clients. Every firm should put privacy on its policy agenda—as a client need, a business challenge and a priority for its Web designers and accounting and systems departments. Take every precaution to protect the client information in your office. Check firewalls for vulnerability. Hire programmers to test the firm system’s security against hackers. Always be cognizant that the technology within a law firm is a key strength, but it is a vulnerability, too. It’s the backdoor into our clients’ secrets. (See the sidebar on page 30 for tips on protecting your information.)
Equally important, as employers, law firms should take the lead in protecting the personal information of everyone on the legal services delivery team. This means undertaking the following:
Examine the physical and electronic security of personnel files.
Safeguard health information.
Protect the identity of those who take advantage of employee assistance programs.
Develop clear written policies on employee expectations of privacy. For example, does your firm reserve the right to inspect hard drives or read e-mail? If so, clearly tell employees what to expect.
Train staff on the importance of privacy. Set up systems that require, among other things, that passwords be changed every month or two.
Ensure that departing employees are severed electronically from the firm. Do so before, not after, giving employees a termination notice.
The practice opportunities and firm issues discussed so far may only be the tip of the iceberg. To date, the United States has eschewed comprehensive privacy protection legislation in favor of specific sectoral measures. However, change is clearly afoot.
For almost 30 years, the credit bureaus that have data on the vast majority of the population have been regulated by the Federal Trade Commission under the Fair Credit Reporting Act. But recent consumer surveys show that fully 70 percent of U.S. adults are still concerned about the security of their financial information. Rest assured, this fact will drive law making. In some ways, it already has.
The 1999 Gramm-Leach-Bliley Act required financial institutions to notify consumers about privacy protection and disclosure policies. Six months later, regulators reckoned the exercise a failure, since the banks could not clearly communicate how they in fact protect privacy. The notices may have met legal compliance requirements, but they made consumers none the wiser. (See the sidebar on page 27 for how this affects your law practice.)
On the flip side, the end of 2001 brought significant shifts across the world in compromising privacy in favor of other interests. The USA Patriot Act of October 26, 2001, for example, lengthens the long arm of criminal enforcement to the Internet. It extends "pen registers" and "traps and traces" to let police access e-mails, voice mails and computer information. It requires no subpoena or court authorization to tap into electronic communications involving a computer trespasser, who will have no reasonable expectation of privacy. And tools that prove effective in antiterrorism could be extended into other sectors. Such legislation portends long and unforeseen consequences.
At this point, the FTC is ultimately the agency most centrally concerned with privacy regulation. For a number of years, the FTC has surveyed the level of privacy protection in Web-based commerce. The results are consistent: Most Web sites fail miserably at either protecting privacy or describing how they do so. And all this comes at a time when consumer surveys consistently indicate that shoppers will not flock to online sales until they are confident about the protection of their personal information.
The FTC’s chair, Timothy Muris, is now targeting companies that fail to respect existing privacy laws. The agency has asked that its privacy enforcement budget be increased 50 percent in 2002. The Bush administration says it is not planning major privacy legislative initiatives—but we can expect congressional members to introduce a number of measures this year.
Lawyers and clients outside of the United States have had to adjust to regulation to protect privacy. Across Europe, national laws have shifted to comply with the Brussels Data Protection Directive. The Canadian Parliament has legislated that every private business must respect private-sector privacy regulation by 2004, at the latest. Australian businesses are scrambling to react to new laws introduced late last year. And this past July, Microsoft, Intel, Procter and Gamble and Hewlett-Packard announced their adherence to the so-called Safe Harbor Principles, brokered to meet tough E.U. data export standards. (Interestingly, these companies pledged that the entirety of their global operations would meet the same rules.)
The technological and consumer imperatives that are driving these initiatives will not leave the United States untouched.
What all this portends is a maelstrom of policy activity. In calmer, more normal times, the response to an issue like the proper balance between privacy and security might center on technological innovation and competitive market responses. Those alternatives would obviate the need for congressional action on privacy. Building protections into code or embracing privacy-enhancing standards is arguably more flexible than the rigid provisions of the statute book. In these times, though, the only safe prediction is the unexpected—and panicked politicians often reach for extreme measures.
Will Lawyers Seize the Day?
Don’t assume that the post-September 11 policy shift has changed the underlying social and technological dynamics of today’s world. The tools to exploit personal information and deliver precisely targeted goods and services for micro-markets will not become obsolete. Technology is like the Alps. You can cope with it, or wait eons for it to crumble.
Simon Chester (firstname.lastname@example.org), a partner in the KNOWlaw Group at Toronto’s McMillan Binch, has been advising businesses on privacy issues for more than 15 years.